DH parameter reading in OPENSSL 3

Dirk Stöcker openssl at dstoecker.de
Wed Jul 13 16:47:15 UTC 2022


> https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dh.c#L148-L205

Thanks a lot. Works in principle now with one exception. The previous 
approach worked for a file where the PEM certificate comes first and 
the DH params afterwards. The new approach only works when the file 
contains nothing but the DH params. Is there a chance to get that 
behaviour back, or do I need to load the file and strip the certificate 
myself?

>> Now it seems the default can be replaced by
>>   SSL_CTX_set_dh_auto(context, 1);
> This is preferred over all explicit parameter choices, as it allows the
> server and client to negotiate a common known-strong group.

I thought so, and this will also be the default.

Freedom in Peace
https://www.dstoecker.eu/ (PGP key available)
